Comments: Measuring Cyberfraud, the fall rate of sky, and other metrics from the market for Silver Bullets

A couple years ago I was asked to find public source numbers on the subject. An interesting bit of trivia was that all the major law enforcement websites had public sections for drug-related crime ... but the computer crime sections all required authorized access. I did find some supportive (public) evidence but it was in very obscure indirect references.

One significant issue is that cybercrime can include non-internet financial crime that happens to involve data processing. These events tend to be ones that large institutions (especially financial) are extremely averse to making public. In the 90s financial infrastructure protection meetings, one of the major topics was whether the financial industry ISAC .. aka information sharing, would be subject to FOIA (the FI-ISAC specifically being structured so as to be not subject to FOIA)
http://www.fsisac.com/

Posted by Lynn Wheeler at November 12, 2011 03:24 PM

While there is a natural desire to have a single number to describe cyber-crime losses, the complexities are such that I'm dubious of attempts to reach that number.

First, we have the problem with combining categories that have different kinds of "losses". For example, a "loss" to an on-line pharma sale seems qualitatively different from a "loss" from a stolen credit card. The former has many kinds of loss components: there is a potential public health loss if the quality of the drugs is sub-standard and there is a potential loss to the brand/patent holder (if we assume that the drug would have been legitimately purchased otherwise) but no real financial loss to the consumer. Indeed, the consumer purchased something and got something... this is a loss in the same way that I feel the money I spent on the Green Lantern movie was a loss. By contrast, a stolen credit card loss represents a real and direct financial loss (although ultimately not to the consumer... most likely to a merchant exploited in reshipping fraud) and also will introduce extraneous losses to the issuer (for new cards and the acquirer for processing chargeback transactions... although these are probably passed to the merchant). Intellectual property losses are even more complex to value.

However, even if we put these loss complexities aside and focus instead on the revenues generated by cybercriminals (within categories for which revenues are well defined... spam, phishing, bank account theft, etc.) it is still difficult to extrapolate from one set of measurements to another. For example, the work by Kanich et al. provides an empirical mechanism for estimating order volumes for a range of big on-line pharma vendors (if you assume ~$150-200/order you get close to ground truth for pharma). Based on this, it seems likely that on-line pharma is in the $100-150M/yr range. However, it's unlikely that one can extrapolate from this data to another category like Fake Antivirus. For example, FakeAV can attract a much larger set of customers (larger inherent market for fear than for ED drugs) and has a lower cost structure. Thus, the recent paper by Stone-Gross et al. showed just two FakeAV programs pulling in $45M annually each (even more telling, a third program, which was less well managed, only averaged ~$4mm). Similarly, I expect to find few similarities between phishing losses and losses due to banking trojans. Little similarity between credit card losses and those that involve ACH transfers from bank accounts. Each has its own operational complexities which can dramatically impact the revenue that can be streamed through.

If we care about making judgements that can be supported by empirical data I think we need to couch our discussions within particular criminal ecosystems and the finances therein. Even this is hard, but it's a goal I think we have experience with and some hope of achieving.

Posted by Stefan Savage at November 12, 2011 09:07 PM